The South Carolina Department of Revenue is located on Gervais Street in Columbia. Thursday, October 25, 2012. / Heidi Heilbrunn/Staff

COLUMBIA — Nearly two months after publicly disclosing a massive data breach at the Department of Revenue, state officials are unsure just what kind of weaknesses exist in state agencies’ cyber security.

The State Budget and Control Board — the five-member board that oversees the state’s administrative agency as well as state financial decisions — took the first step to find out Wednesday when it authorized hiring a consultant to craft a bid for a firm to assess the state’s security and develop a statewide cyber security plan.

The board also approved a $20.1 million loan to the Revenue Department to handle some of the state’s response to the hacking.

“Us moving fast after this crisis was very, very important,” Gov. Nikki Haley told the board. “Every other agency is still getting pinged at this point. We are not exempt from this. Waiting on the legislative session to decide on an RFP (request for proposal) is allowing more risk.”

Marcia Adams, executive director of the State Budget and Control Board, said the vendor selected to help create a statewide cyber security plan first will look at each agency to assess its security.

“We really don’t know what we have in the state,” Adams said of cyber security at each agency.

State Inspector General Patrick Maley told the panel about his report on the status of cyber security among agencies, which relied on opinions by 18 chief information officers, officials with the state’s Division of Information Technology and others to conclude the overall security for the state is “less than adequate.”

Maley has said his investigation into the hacking shows that many state agency chief information officers, the officials who run agency computer networks, believe the state’s cyber security posture is poor.

He recommends that the state create a cyber security program, establish the position of chief information security officer, and create an entity to accept responsibility for the security program and the authority to create policies. The report also recommends the hiring of a private consultant to help the state craft a security program and implement it.

Haley asked the inspector general to review cyber security at all state agencies. She has said she expects the state to hire a consultant to help build a statewide plan.

About 100 agencies, commissions, boards, colleges and universities operate computers in state government, but there is no centralized control of their security and operations.

On a scale of one to five, with five being high and one being very low, 15 of 18 information officers rated statewide information security as either low or very low. Their rating averaged 1.7.

Eight of the officers rated their own agencies’ capabilities as low or very low, according to Maley’s investigation.

Another eight rated the threat level of a breach as high.

He said one information security officer said cyber security is less than adequate statewide.

Seeking an expert

Sen. Hugh Leatherman, chairman of the Senate Finance Committee and a member of the board, said he wasn’t trying to slow the process down but did want to be sure that expertise was used in finding the right firm to assess agencies and develop a statewide plan.

The board voted to hire a consultant to help draft the RFP, which the board will then examine before it is issued. Adams said it may be late January before the RFP is complete.

Since the breach was disclosed by Haley on Oct. 26, the Department of Revenue has moved to fix its primary vulnerabilities, encrypting all its data and installing a dual-password system. In addition, the agency is now using a computer network monitoring system offered for free by the Information Technology office.

The hacking exposed 3.8 million Social Security numbers, 3.3 million bank account numbers and information from almost 700,000 businesses.

The first intrusion into the Revenue Department’s computers began in August, unnoticed by any officials operating its computer system.

It wasn’t until Oct. 10 that the computer crimes office of the U.S. Secret Service discovered that a foreign hacker had taken a database from the department’s computers, exposing taxpayers’ Social Security numbers and credit and debit card numbers. It was one of the largest computer breaches in the state or nation.

Three more breaches followed — the first, another “browse” on Sept. 3, and then two more, concluding with the data theft on Sept. 13, according to James Etter, former director of the Department of Revenue.

A Secret Service agent, Mike Williams, said the agency’s computer crimes office first uncovered the intrusion and notified state authorities.

Notices sent out

Taxpayers are now being notified by email or postal mail if their information was exposed. Credit monitoring is being offered for taxpayers and businesses for the next year. Although the U.S. Secret Service and the State Law Enforcement Division have been investigating the hacking since Oct. 10, no arrests have been announced.

The $20.1 million loan to the Department of Revenue will come from the state Insurance Reserve Fund and is to be repaid by next October. The board expects the money to be repaid by the Legislature.

Among the expenses covered by the loan are: a $12 million contract with Experian, which is providing credit monitoring for a year; $5.6 million for encryption and dual passwords at the Department of Revenue; $1.3 million for direct mail notification of taxpayers; $750,000 for the services of Mandiant, the cyber security firm hired by the Department of Revenue to investigate and fix the breach; $300,000 for the law firm of Nelson Mullins, which provided legal advice to the Department of Revenue; $200,000 for public relations work by the firm of Chernoff Newman of Columbia; and $20,000 for the electronic searching of taxpayers living outside South Carolina.

Haley said she plans to press lawmakers to repay the $20 million, even if it has to be done over two years.

Two legislative committees are investigating what happened with the breach and how the state can improve its security.

House Majority Leader Bruce Bannister of Greenville is chairing the House committee, which begins its work today by listening to officials from Mandiant, the Department of Revenue and Experian, the credit monitoring service the state will pay $12 million. The Senate panel, headed by Sen. Kevin Bryant of Anderson, began its hearings last month.

“I anticipate we will go over a lot of the same ground as we come to different conclusions about what that means,” Bannister said. “As time passes, people’s testimony and perspective changes and new things come to light. So whoever goes first is at a disadvantage. We get to build on what they heard.”

Bryant’s committee will hear from the Department of Consumer Affairs, which compiles a report each year of data breaches; the South Carolina Bankers Association; and Experian. Bryant has said he wants to see what banks are doing to protect their data that the state might learn from.